Rowland penny
2015-Dec-15 22:40 UTC
[Samba] How can I change the localSID for a SAMBA Server?
On 15/12/15 22:27, Tetra wrote:
> On 15.12.2015 22:16, Byron Bogaert wrote:
>> We need to change the SID on a standalone server because it needs to also
>> act as a File Server. The authentication comes from LDAP, and we have
>> existing entries in LDAP for SID of the domain. Instead of changing all the
>> SIDs in ldap, we would like to be able to change it on the server.
>
> I noticed something similar (though while testing on some older
> samba-3 standalone servers, where I wanted to see if I could use ldap
> instead of a rsync replicated smbpasswd file by setting the same SID on
> all servers.)
>
> The SID is locally stored in secrets.tdb and you can see it with tdbtool
> (though in hex, and need to know that the last three 10-digit numbers
> in the SID are 32-bits or 4-Byte each)
>
> Seems net setlocalsid changed the sid in secrets.tdb, but the server
> finds its SID in LDAP after that is set up in smb.conf, and there it
> was not changed.
>
> I solved it by also changing it manually on the LDAP server, or made
> sure that the sid was changed locally before starting up smbd with LDAP
> configured, or deleted the LDAP entry for the server and restarted smbd
> so it was generated anew.
>
> YMMV.

The problem is that the machine is supposed to be a standalone server and how can it be one, if it has the same SID as another machine, or am I missing something? Surely, if it does have the same SID, you are talking a basic domain.

As long as the computer can get the user's details from ldap and the underlying OS can see this info, it shouldn't make any difference what its SID is, i.e. as long as 'getent passwd <a user in ldap>' returns the required info.

Rowland
On 15.12.2015 23:40, Rowland penny wrote:
> The problem is that the machine is supposed to be a standalone server
> and how can it be one, if it has the same SID as another machine, or am
> I missing something? Surely, if it does have the same SID, you are
> talking a basic domain.

No, if it is a standalone server, it doesn't really care about what SID it has itself (localsid), but the test I did showed that it did care about what SID a user had.

...

> As long as the computer can get the users details from ldap and the
> underlying OS can see this info, it shouldn't make any difference what
> its SID is i.e. as long as 'getent passwd <a user in ldap>' returns the
> required info.

If the server has a SID of S-1-5-21-x-y-z the user must have a SID + RID (relative id) that matches, e.g. S-1-5-21-x-y-z-1000. If not, I couldn't log on to the share. So I decided on an easy to remember SID and a generic domain name of SAMBA and added all users to LDAP with this as sambaSID and sambaDomainName (using the tool LDAP Account Manager Pro from Roland Gruber). When I then add all servers with the same SID, I manage to log on to the file shares.

This was for testing how I could, in a simple way, replace a system with standalone servers with a smbpasswd file where all the users were created on one of them, then the smbpasswd file was rsynced to the others. (The unix/linux users and groups were the same on all servers thanks to NIS, now being replaced with LDAP.)

We don't need a domain for this system. The PCs used are currently not in a domain at all, the Linux PCs will not, the Macs likely not, and there are even some Windows Home PCs that cannot join a domain. The Samba servers are just for providing file shares in a way Windows recognizes. We don't want it to be possible to make users or change passwords locally on the samba servers; all that should be done in the LDAP Account Manager (it can update linux and samba passwords at the same time.)
I haven't concluded yet, if this is how to do it, but it seems it is a possible way of doing it.
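To make the two mechanics discussed above concrete (the SID in secrets.tdb is a binary blob whose trailing sub-authorities are 32-bit little-endian words, and a user's sambaSID must be the server's domain SID plus a RID), here is an added Python example; it is not code from this thread or from Samba, and the server SID and LDAP entries are constructed samples.

```python
import struct

# Constructed sample entries (dn, sambaSID), standing in for what an
# ldapsearch for sambaSID against the directory in the thread would return.
SERVER_SID = "S-1-5-21-1000-2000-3000"
LDAP_ENTRIES = [
    ("uid=alice,ou=People,dc=example,dc=com", "S-1-5-21-1000-2000-3000-1001"),
    ("uid=bob,ou=People,dc=example,dc=com",   "S-1-5-21-1000-2000-3000-1003"),
    ("uid=carol,ou=People,dc=example,dc=com", "S-1-5-21-9999-8888-7777-1005"),
]

def sid_to_bytes(sid):
    """Pack a textual SID into the standard binary layout: revision (1 byte),
    sub-authority count (1 byte), 48-bit identifier authority (big-endian),
    then each sub-authority as a 32-bit little-endian word."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(raw):
    """Inverse of sid_to_bytes; validates the length against the count byte."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or oversized SID blob")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "S-%d-%d" % (raw[0], authority) + "".join("-%d" % s for s in subs)

def split_rid(sid):
    """Split 'S-1-5-21-x-y-z-RID' into its domain SID and integer RID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def find_mismatches(server_sid, entries):
    """Return the DNs whose sambaSID does not hang off server_sid, i.e. the
    accounts that would be refused on the share until one side is changed."""
    bad = []
    for dn, user_sid in entries:
        domain, _ = split_rid(user_sid)
        if domain != server_sid:
            bad.append(dn)
    return bad
```

Running `find_mismatches` over the real directory (sambaSID values from ldapsearch, server SID from `net getlocalsid`) shows which accounts need fixing before the local SID is changed.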
Byron Bogaert
2015-Dec-16 00:46 UTC
[Samba] How can I change the localSID for a SAMBA Server?
Hi Tetra,

This is the way we are currently looking at building our SAMBA file server. The reason why we would like to change the SID on the SAMBA server is so we do not need to change all the existing entries in ldap to be SID + rid.

-Byron

--
*Byron Bogaert*
*IT System Administrator*
Wikimedia Foundation
Imagine a world in which every single human being can freely share in the sum of all knowledge. Help us make it a reality!
https://donate.wikimedia.org

On Tue, Dec 15, 2015 at 4:35 PM, Tetra <terjet-list at funcom.com> wrote:
> On 15.12.2015 23:40, Rowland penny wrote:
>
>> The problem is that the machine is supposed to be a standalone server
>> and how can it be one, if it has the same SID as another machine, or am
>> I missing something? Surely, if it does have the same SID, you are
>> talking a basic domain.
>>
>
> No, if it is a standalone server, it doesn't really care about what SID
> itself has (localsid), but the test I did showed that it did care about
> what SID a user had. ...
>
>> As long as the computer can get the users details from ldap and the
>> underlying OS can see this info, it shouldn't make any difference what
>> its SID is i.e. as long as 'getent passwd <a user in ldap>' returns the
>> required info.
>>
>
> If the server has a sid of S-1-5-21-x-y-z the user must have a SID + rid
> (relative id) that matches, e.g. S-1-5-21-x-y-z-1000. If not I couldn't log
> on to the share. So I decided on an easy to remember SID and a generic
> domain name of SAMBA and added all users to LDAP with this as sambaSID and
> sambaDomainName (using the tool LDAP Account Manager Pro from Roland
> Gruber). When I then add all servers with same SID, I manage to log on to
> the fileshares.
>
> This was for testing how I in a simple way could replace a system with
> standalone servers with a smbpasswd file where all the users were created
> on one of them, then the smbpasswd file was rsynced to the others. (The
> unix/linux users and groups were the same on all servers thanks to NIS, now
> being replaced with LDAP.)
>
> We don't need a domain for this system. The PCs used are currently not in
> a domain at all, the Linux PCs will not, the Macs like not, and there are
> even some Windows Home PCs that cannot join a domain. The Samba servers are
> just for providing file shares in a way Windows recognizes. We don't want
> it to be possible to make users or change password locally on the samba
> servers, all that should be done in the LDAP Account Manager (It can update
> linux and samba password at the same time.)
>
> I haven't concluded yet, if this is how to do it, but it seems it is a
> possible way of doing it.
Andrew Bartlett
2015-Dec-16 07:44 UTC
[Samba] How can I change the localSID for a SAMBA Server?
On Wed, 2015-12-16 at 01:35 +0100, Tetra wrote:
> We don't need a domain for this system. The PCs used are currently not
> in a domain at all, the Linux PCs will not, the Macs like not, and there
> are even some Windows Home PCs that cannot join a domain. The Samba
> servers are just for providing file shares in a way Windows recognizes.
> We don't want it to be possible to make users or change password locally
> on the samba servers, all that should be done in the LDAP Account
> Manager (It can update linux and samba password at the same time.)
>
> I haven't concluded yet, if this is how to do it, but it seems it is a
> possible way of doing it.

Even if you don't think of the various Samba servers offering file shares as being in a domain, if they share a password database, the only supported way of doing so is if they are domain controllers.

If you have nothing joined to the domain, it is harmless for the servers to also be a PDC or BDC of an NT4-like domain, and by doing so you step back inside the supported envelope, rather than hacking a currently mostly-working solution outside it.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba